-
11-27-2015, 03:40 PM #1Web Hosting Master
- Join Date
- Nov 2006
- Location
- Toronto, Canada
- Posts
- 816
What's your recommendation for a 1Gbps hardware firewall?
Hi
I am looking to purchase a hardware firewall to be used strictly for a web hosting business. It needs to support 1Gbps uplink throughput. It would be a bonus if it has two WAN links for load balancing and fail-over (planning for the future, but that's not an immediate requirement).
What's your recommendation? $2000 max budget for it. Obviously reliability is the top priority given its intended usage, as I don't want to keep rebooting it every few days or incur a lot of downtime because of it.
Thanks!
Last edited by BoomHost-Kumar; 11-27-2015 at 03:46 PM.
-
11-27-2015, 05:08 PM #2Web Hosting Guru
- Join Date
- Oct 2009
- Posts
- 309
Juniper SRX210, for example; I would recommend taking the high-memory version (H or H2).
SRX220 has 8 GigE ports; http://www.amazon.com/Juniper-SRX220.../dp/B0046SMVXQ
-
11-27-2015, 07:52 PM #3Web Hosting Master
- Join Date
- Nov 2006
- Location
- Toronto, Canada
- Posts
- 816
Thanks for the suggestion. I will keep that as an option.
I forgot to mention in my original post that whatever hardware firewall is recommended here needs to support *multiple* public IP addresses. Each server (behind the hardware firewall) will have one or more public IP addresses assigned to it. There will be no private-IP-to-public-IP NATing required.
Having said that, I also came across PFSense SG-2440 and SG4860 - https://www.pfsense.org/products/
Do web hosts normally make use of such open source code powered hardware firewalls?
-
11-27-2015, 09:17 PM #4WHT Addict
- Join Date
- Oct 2011
- Posts
- 151
Peplink is built for exactly the purpose of balancing multiple WAN uplinks and firewalling. The servers behind the router can have multiple IP addresses -- no problem. These also do authoritative DNS and hand out whichever WAN IP makes the most sense (i.e., is up and underloaded).
So here's the conundrum... you want redundancy, hence the reason for multiple WANs. Well, having one router is a single point of failure. The mid- to high-end Peplinks offer VRRP, Virtual Routing Protocol, which allows two routers to be placed in an active / standby relationship. So no more single point of failure.
These do require a switch to be placed on the LAN side. This creates another single point of failure, which can be eliminated with a set of stackable switches.
The Peplink 305 is around $1700. It supports 1Gbps throughput.
Stacking switches from Netgear cost around $280 w/ lifetime warranty.
Here's a link to Peplink lineup: http://www.peplink.com/products/bala...el-comparison/
-
11-27-2015, 10:26 PM #5Web Hosting Master
- Join Date
- Nov 2006
- Location
- Toronto, Canada
- Posts
- 816
Thanks for the Peplink recommendation.
You're right! But in my original post I actually meant to say failover for the actual WAN connections (meaning if one provider's link goes down the other link continues to work, hence the reason for two WAN links). I didn't mean failover for the device itself.
For my scenario I am not liking this idea for some reason... I prefer a device like the Juniper (recommended above) which has a certain number of built-in LAN 1Gbps ports on the same device.
My background is primarily in managing ASA devices and I prefer that way, but unfortunately it is a little too pricey for the 1Gbps model they offer. So far Juniper and pfSense sound promising to me, and I am sure a single WAN connection port will do for now.
-
11-27-2015, 11:47 PM #6Web Hosting Master
- Join Date
- Apr 2004
- Location
- Singapore
- Posts
- 1,234
Cisco ASA5512-K9
http://www.amazon.com/Cisco-ASA5512-...M2396KHPC0VZQD
-
11-28-2015, 07:37 AM #7WHT Addict
- Join Date
- Apr 2011
- Posts
- 112
Take a look at Mikrotik Cloudcore routers; they can do BGP and many other cool things.
-
11-28-2015, 11:04 AM #8Web Hosting Master
- Join Date
- Nov 2006
- Location
- Toronto, Canada
- Posts
- 816
It looks cool, but does it also have firewall capability? Hard to tell, as there is hardly any mention of it. I am looking at their CCR1009-8G-1S-1S+ model. Also, I have no idea how easy/complicated it is to set up and maintain... as I have never worked with it before. Also, getting proper online support (forums, etc.) is critical these days to get advice and troubleshoot issues, but that doesn't look promising with "Mikrotik" devices in today's market.
-
11-28-2015, 11:14 AM #9WHT Addict
- Join Date
- Apr 2011
- Posts
- 112
Any router can do routing.
Mikrotik has many features, including management tools (web/CLI/mgmt software); take a look for yourself. I don't know any router that beats Mikrotik on price/performance.
http://wiki.mikrotik.com/wiki/Manual:RouterOS_features
http://forum.mikrotik.com/
-
11-28-2015, 05:42 PM #10Temporarily Suspended
- Join Date
- Nov 2015
- Posts
- 6
Cisco ASA 5508-X and WatchGuard XTM 515 could be good options in your price range.
-
11-30-2015, 05:23 PM #11WHT Addict
- Join Date
- Feb 2014
- Posts
- 149
I second the Mikrotik. I have used them for many years now, and for the price and performance you can't beat them. They have forums, and there are companies out there that do tech support for them. I currently have 2 Mikrotik routers stacked in a failover setup. If one router fails, the other will take over with VRRP. They have a full firewall that you should be able to do anything you want with. There are no issues with setting up multiple BGP sessions for load balancing or redundancy.
-
11-30-2015, 06:17 PM #12Web Hosting Master
- Join Date
- Oct 2011
- Location
- Ashburn, Virginia
- Posts
- 653
A few of my customers are using VyOS (Vyatta fork).
-
11-30-2015, 08:56 PM #13WHT Addict
- Join Date
- Sep 2010
- Posts
- 155
1 word - SOPHOS. Cannot go wrong here. We've had multiple in a production environment, and never had issues.
They have great software and very high limits. Their licensing is also very financially viable compared to other alternatives. When we find products/solutions that work well, we recommend them to everyone. That's when you know a company does a good job: when the clients are spreading the word by choice.
They have various devices in their product line depending on the sizing you require. Their product line is EASILY able to handle what you described. As a matter of fact, their top device has 60Gbps firewall throughput.
-
11-30-2015, 09:01 PM #14WHT Addict
- Join Date
- Sep 2010
- Posts
- 155
http://www.firewalls.com/sophos-utm-...Fc4XHwodX1EOdg
11Gbps throughput.
Note: I am not in any way associated with firewalls.com or Sophos.
-
12-01-2015, 12:00 AM #15Web Hosting Master
- Join Date
- Jan 2008
- Location
- Jax, FL
- Posts
- 2,707
The SRX units are awesome, I have a ton of these deployed and they are rock solid and very flexible.
Just keep in mind that the SRX210 and SRX220 cannot handle line-rate 1Gbps IMIX traffic. Large packets are no issue, but with real-world traffic the SRX210 supports 250Mbps throughput and the SRX220 300Mbps.
The SRX550 is the first device in the SRX line that advertises IMIX processing of higher than 1Gbps. The SRX240 is a great unit and with some tweaks can easily handle the 1Gbps of traffic (rated at 600Mbps natively).
-Daniel
-
12-01-2015, 12:10 AM #16
VyOS is a good option, but I haven't seen many appliances with it. If I'm not mistaken, VyOS is based on the open source version of Vyatta, or the "Community Edition", and not the Enterprise version, so that is something to also think about if you elect VyOS.
We prefer Juniper, but that is because Juniper makes up most of our networking. You can't go wrong with Cisco either.
I can't speak to Sophos as we have never used any of their security appliances.
-
12-01-2015, 06:14 AM #17WHT Addict
- Join Date
- Apr 2011
- Posts
- 112
Please note that throughput is not the same as routing performance. Router performance is measured in packets per second (PPS).
Quote from another network-related forum:
This is commonly misunderstood: the performance difference between the interface and the device.
The interface has dedicated hardware that can transmit or receive the L2 frame at wire speed. I.e., an Ethernet gig interface can transmit or receive an individual frame at gig.
Often an interface might have additional hardware, so that it can send or receive multiple frames, back-to-back, at full wire speed too.
However, on software-based routers, the main CPU normally needs to "process" the packets, and depending on how fast a processor it has, it can only process packets at some maximum rate. You'll normally see this listed as packets per second (PPS) for different packet sizes. (NB: in olden times, the rate was often quoted for maximum-sized packets; now it's generally quoted for minimum-sized packets.)
Often the performance of a small router cannot sustain an interface continuously running at wire speed.
Something else to understand: processing a packet is somewhat independent of its size. So you'll also find a software-based router's capability to pass packets at a certain "bandwidth" decreases as the frame/packet size decreases and conversely increases as the frame/packet size increases. (NB: as noted earlier, this is why bandwidth throughput used to be quoted for maximum-size packets; bandwidth throughput performance looked much, much better in marketing literature.)
If you're wondering why have interfaces that support much higher "bandwidths" than the router itself can, there are several reasons. First, individual frames/packets have less serialization delay. Second, vendors probably treat some hardware components as commodities, i.e. it's less expensive to use the same interface hardware on multiple routers. Third, it looks better in the marketing literature (i.e. two gig interfaces rather than two 10 Mbps interfaces).
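As an added illustration that is not part of the post above (or of post #15's IMIX figures), here is the PPS-versus-bandwidth relationship it describes, worked out for a 1 Gbps link at the packet sizes vendors usually quote. The frame-size constants are standard Ethernet values; the 100 kpps forwarding budget is a constructed figure, not any device's rating.

```python
# Added example, not from the thread: relate packets-per-second (PPS) to the
# bandwidth a software router can sustain on Gigabit Ethernet. Sizes are the
# usual test points; the rated-PPS figure used below is made up.

LINE_RATE_BPS = 1_000_000_000      # one Gigabit Ethernet interface
ETH_HEADER_FCS = 18                # 14-byte Ethernet header + 4-byte FCS
WIRE_OVERHEAD = 20                 # 8-byte preamble + 12-byte inter-frame gap
MIN_FRAME = 64
# "Simple IMIX": 7 x 40 B, 4 x 576 B, 1 x 1500 B IP packets (about 340 B average)
SIMPLE_IMIX = ((40, 7), (576, 4), (1500, 1))


def wire_bytes(ip_len):
    """Link time, expressed in bytes, consumed by one IP packet of ip_len bytes."""
    return max(ip_len + ETH_HEADER_FCS, MIN_FRAME) + WIRE_OVERHEAD


def line_rate_pps(ip_len, line_rate_bps=LINE_RATE_BPS):
    """Packets per second needed to keep the link busy at this packet size."""
    return line_rate_bps / (wire_bytes(ip_len) * 8)


def imix_avg_wire_bytes(mix=SIMPLE_IMIX):
    """Weighted average wire footprint of one packet drawn from the mix."""
    total = sum(w for _, w in mix)
    return sum(wire_bytes(size) * w for size, w in mix) / total


def sustainable_bps(rated_pps, ip_len=None, mix=None):
    """Wire bandwidth a router forwarding rated_pps packets/s can sustain, either
    at one fixed IP packet size or across an IMIX mix, capped at line rate."""
    avg = imix_avg_wire_bytes(mix) if mix else wire_bytes(ip_len)
    return min(rated_pps * avg * 8, LINE_RATE_BPS)


def pps_table(line_rate_bps=LINE_RATE_BPS):
    """PPS required at line rate for 64-byte frames, 512 B and 1500 B packets."""
    return {size: round(line_rate_pps(size, line_rate_bps)) for size in (46, 512, 1500)}


if __name__ == "__main__":
    for size, pps in pps_table().items():
        print(f"{size:>5}-byte IP packets: {pps:>9,} pps to fill 1 Gbps")
    # Constructed 100 kpps budget (not a real device rating): line rate with
    # large packets, a fraction of it with minimum-size frames or IMIX.
    for label, kw in (("1500 B", {"ip_len": 1500}), ("64 B frames", {"ip_len": 46}),
                      ("IMIX", {"mix": SIMPLE_IMIX})):
        print(f"100 kpps at {label}: {sustainable_bps(100_000, **kw) / 1e6:.0f} Mbps")
```

The same arithmetic, run against a vendor's published PPS figure for minimum-size packets, tells you whether a box can really carry your mix at 1 Gbps.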
-
12-01-2015, 02:47 PM #18WHT Addict
- Join Date
- Sep 2010
- Posts
- 155
-
12-01-2015, 04:16 PM #19Newbie
- Join Date
- Mar 2015
- Posts
- 12
-
12-01-2015, 10:43 PM #20Web Hosting Master
- Join Date
- Nov 2006
- Location
- Toronto, Canada
- Posts
- 816
-
12-10-2015, 04:19 PM #21Junior Guru
- Join Date
- Nov 2010
- Posts
- 190
Two Allied Telesis AT-AR4050S units running in an active/passive cluster will cost you ~$1400.
-
12-11-2015, 03:04 PM #22Junior Guru Wannabe
- Join Date
- Sep 2014
- Location
- New York, NY
- Posts
- 74
Look at Ubiquiti EdgeRouter, Fortigate (models 60D+) and the new SonicWalls (model TZ400+)... there is a real lack of inexpensive firewalls that can handle 1Gbps connections at the moment...
-
12-15-2015, 07:02 PM #23Premium Member
- Join Date
- Mar 2004
- Posts
- 56
Is your gigabit connection going to be fiber? Because most of these firewalls have copper gigabit ports; manufacturers seem reluctant to provide SFP ports. I see many of the same copper interface offerings from a decade ago!
For the Peplink, you've got to spring for the highest model (2500) to get an SFP. Sophos -- you'll have to climb to the 310. pfSense -- no fiber options at all. (Of course you can use a converter, but you'd be adding another point of failure.)
The Juniper takes fiber, as does the Allied Telesis -- this is a neat one, haven't seen this one before, so I'm printing the data sheet on it right now.
-
12-15-2015, 10:05 PM #24Web Hosting Master
- Join Date
- Nov 2006
- Location
- Toronto, Canada
- Posts
- 816
-
01-13-2016, 03:53 AM #25Premium Member
- Join Date
- Mar 2004
- Posts
- 56